Make Theia sidecar/stack secure, add an ability to use new JWT auth on a per-workspace basis #11410
Conversation
…binding time Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
garagatyi
requested review from
ibuziuk,
skabashnyuk,
mshaposhnik and
sleshchenko
|
ci-test |
benoitf
added
the
status/code-review
|
Results of automated E2E tests of Eclipse Che Multiuser on OCP: |
benoitf
added
the
kind/enhancement
|
ci-test |
|
Results of automated E2E tests of Eclipse Che Multiuser on OCP: |
|
@eclipse/eclipse-che-qa Please, take a look at the report |
| @@ -27,6 +27,8 @@ | |||
| * @author Alexander Garagatyi | |||
| */ | |||
| public class RestartPolicyRewriter implements ConfigurationProvisioner { | |||
| public static final int RESTART_POLICY_SET_TO_NEVER = 4104; | |||
There was a problem hiding this comment.
I think it makes sense to place warning codes in one place, like Constants class.
There was a problem hiding this comment.
Make sense, but it is not related to this particular PR I suppose. Can you create an issue for that?
There was a problem hiding this comment.
I could but I afraid it won't get needed priority to be fixed.
I think it makes sense to do it only in part of a code that is changed in this PR. But I'm OK to leave it as it is.
| import org.eclipse.che.inject.ConfigurationException; | ||
| import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironment; | ||
|
|
||
| /** | ||
| * Provides implementation of {@link SecureServerExposerFactory} according to configuration property | ||
| * with name `che.server.secure_exposer`. | ||
| * or workspace config attribute with name `che.server.secure_exposer`. |
There was a problem hiding this comment.
It makes sense to rewrite this java doc to make clear priority of different configuration sources.
|
|
||
| if (isAuthEnabled) { | ||
| // enable per-workspace security with JWT proxy for sidecar based WS | ||
| // because it is the only WS security implementation supported for now |
There was a problem hiding this comment.
please, don't use WS abbreviation where it is possible since there is a collision with Workspace and WebSocket meaning.
|
Selenium tests execution on Eclipse Che Multiuser on OCP (https://ci.codenvycorp.com/job/che-pullrequests-test-ocp/892/) doesn't show any regression against this Pull Request. |
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
garagatyi
force-pushed
the
secureWSNEXT
branch
from
2f13706 to
b698aec
Compare
benoitf
removed
the
status/code-review
What does this PR do?
This PR is designed to be reviewed in a commit-by-commit manner. The scope of each commit is very limited to the purpose described in its message.
Description of why:
In sidecar-based workspaces with Theia sidecar, we can not use current security mechanism. To overcome it Che platform team implemented JWTProxy based implementation. We can switch these implementations for the whole Che, but this is not enough in a case when old workspaces are mostly used but sidecar-based workspaces evaluation is needed. Since JWTProxy based auth wasn't tested well enough as it is a non-default option I decided to switch only sidecar-based workspaces to it.
Description of what:
Adds an ability to enable workspace security implementation on a per-workspace basis.
Enables JWTProxy based security to sidecar-based workspaces if authentication is enabled in Che.
Adds
secureandcookiesAuthEnabledattributes to Theia stacks, so they are secure on a multiuser Che in contrast to the current state in master.Adds other small fixes, such as fixing warning codes for workspace starting components.
Description of how:
In ServersConverter I used SecureServerExposerFactoryProvider to create SecureServerExposerFactory directly and removed its binding from the DI container.
Then I added an argument to the get() method of the provider. It accepts KubernetesEnvironment as an argument. The provider now does the deccision on what security implementation should be used not just by checking global Che property but also by looking at KuberneterEnvironment attributes KuberneterEnvironment.getAttributes(). When attribute che.server.secure_exposer is present in the environment and contains bound implementation the provider uses this implementation instead of the globally configured with the property with the same name. If there is no attribute or implementation not found the provider falls back to the globally configured implementation.
Then in che.server.secure_exposer I added code that adds attribute che.server.secure_exposer with value jwtproxy if authentication is enabled in Che.
How to test it:
Prerequsites:
Theia will work in secure sidecar-based workspaces only after applying this PR and populating it to your che-plugin-registry instance and applying PR to the plugin broker.
What issues does this PR fix or reference?
To vitness working sidecar-based Theia secured in multi-user Che PRs need to be merged:
eclipse-che/che-plugin-broker#11
https://github.com/ws-skeleton/che-editor-theia/pull/7
Fixes redhat-developer/rh-che#853
Release Notes
Docs PR